The startRequestCancellation function in the Starklane bridge contract is vulnerable to a race condition. An attacker could potentially exploit this vulnerability by calling the withdrawTokens function with the same request payload before the cancellation process is completed, leading to potential double-spending or unauthorized token withdrawals.
The startRequestCancellation function initiates the cancellation of an L1 to L2 message but does not immediately prevent the associated tokens from being withdrawn. There is a time window between starting the cancellation and finalizing it in which the same request could still be processed by the withdrawTokens function.
An attacker could observe the startRequestCancellation transaction in the mempool and quickly submit a withdrawTokens transaction with the same payload, potentially allowing them to withdraw tokens that were intended to be locked due to the cancellation process.
The impact of this vulnerability could be severe:
Double-spending: Tokens could be withdrawn even though a cancellation was initiated.
Unauthorized withdrawals: An attacker could potentially withdraw tokens they shouldn't have access to.
Inconsistent state: The L1 and L2 states could become inconsistent if a withdrawal succeeds after a cancellation is initiated.
Manual
To mitigate this vulnerability, consider implementing the following changes:
Implement a locking mechanism:
Add a mapping to track cancellation requests: mapping(bytes32 => bool) private _cancellationRequests;
In startRequestCancellation, set the request as being cancelled: _cancellationRequests[req.hash] = true;
In withdrawTokens, check if the request is being cancelled and revert if so:
Combine cancellation initiation and finalization: If possible, modify the protocol to allow for atomic cancellation, eliminating the time window between initiation and finalization.
Implement a timelock:
Add a timelock period after startRequestCancellation during which withdrawTokens cannot be called for the same request.
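The locking mechanism recommended above, as an added example that is not part of the original finding or the Starklane code base. It is a simplified Solidity model: the contract name, the custom errors, the owner check, the _withdrawn bookkeeping and the keccak256-based request hash are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only: a simplified model, not the Starklane bridge code.
/// Messaging and token escrow are left out so the lock itself stays visible.
contract CancellationLockExample {
    error RequestBeingCancelled(bytes32 requestHash);
    error AlreadyWithdrawn(bytes32 requestHash);
    error NotOwner();

    // Assumption: cancellation is restricted to a single owner account.
    address public immutable owner;

    // Mapping proposed in the recommendation: request hash => cancellation started.
    mapping(bytes32 => bool) private _cancellationRequests;
    // Hypothetical bookkeeping so a request can be withdrawn only once.
    mapping(bytes32 => bool) private _withdrawn;

    event CancellationStarted(bytes32 indexed requestHash);
    event Withdrawn(bytes32 indexed requestHash, address indexed to);

    constructor() {
        owner = msg.sender;
    }

    /// Assumption: the request hash is keccak256 over the raw payload.
    function hashRequest(uint256[] calldata payload) public pure returns (bytes32) {
        return keccak256(abi.encode(payload));
    }

    function startRequestCancellation(uint256[] calldata payload) external {
        if (msg.sender != owner) revert NotOwner();
        bytes32 h = hashRequest(payload);
        // Set the lock before anything else, so the request is unusable
        // from the moment this transaction is mined.
        _cancellationRequests[h] = true;
        emit CancellationStarted(h);
    }

    function withdrawTokens(uint256[] calldata payload) external {
        bytes32 h = hashRequest(payload);
        // Check recommended in the finding: refuse requests under cancellation.
        if (_cancellationRequests[h]) revert RequestBeingCancelled(h);
        if (_withdrawn[h]) revert AlreadyWithdrawn(h);
        _withdrawn[h] = true; // state change before any token transfer
        emit Withdrawn(h, msg.sender);
    }
}
```

The lock takes effect only once the startRequestCancellation transaction is mined, so it does not stop a withdrawTokens transaction that is ordered ahead of it in the same block or an earlier one.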